Among businesses, healthcare is one of the sectors most likely to hold personal data, with 81% stating that they do, according to the Cyber Security Breaches Survey 2022. That makes them a target for cyber criminals.
And the most common attack is phishing.
Another couple of statistics from the survey raise the concern that healthcare companies may be at risk: only 17% of businesses have had training or awareness-raising sessions on cyber security in the last 12 months, and only 19% have tested their staff with something like mock phishing exercises.
But your staff could be your biggest liability or your greatest strength when it comes to identifying phishing, so not showing them the range of malicious communications that cyber criminals are using, or not reviewing whether your current security awareness training is working, seems a serious oversight.
So, we need to train our staff. Anything else?
Your staff are likely to be the point at which an attack either succeeds or fails, so training them to recognise and report phishing is essential. But there are also technical controls that the National Cyber Security Centre recommends, put in place as a layered approach to phishing.
Make it harder for attacks to get to employees
Employ anti-spoofing (DMARC, SPF, DKIM) – you can check whether your settings are correct with the NCSC’s Email Security Check.
Filter or block incoming phishing emails using your email provider or specific service.
Make employees less likely to fall for the phish and know how to report them
Provide regular training and discussions around phishing attacks. Why not share the reported phishes so everyone can see real examples (remove the links/downloads first though)? The ECRC can provide staff awareness training bespoke to your company and practices.
Have a clear guide on what staff should do if they receive a phish. This also needs to include a clear reporting mechanism for staff who fall victim to a phish. Some phishing emails are very realistic, so don’t blame your staff for not spotting one when they are busy.
Protect your company from undetected attacks
Consider technical defences – anti-malware, blocking specific extensions, disabling macros.
Use a proxy service to block any attempt to reach websites which have been identified as hosting malware or phishing campaigns.
Set up 2FA/MFA wherever possible – that way, even if the username and password are compromised in a phishing attack, the attacker still shouldn’t be able to get access to the system as they won’t have the second verification factor. WARNING – attackers are now looking at how to phish the authentication codes as well.
Use a password manager or a single sign-on method. Because of the autofill component, your employees will get used to not having to fill in their password and may be more likely to question it when they have to.
Be able to respond quickly to attacks
Use a security logging system to pick up those incidents that your users are not aware of. If you don’t have a logging system in place, the NCSC has a free tool, Logging Made Easy (LME), which enables companies to set up their own basic capability.
Have an incident plan ready and test it. It is almost guaranteed that one day a phishing email will slip through, so what will you do about it? If you don’t already know, make sure that you go away and think about it. The ECRC has a free template you can download and use for your organisation if you haven’t got a plan yet, and you can test your plan with the NCSC’s free Exercise in a Box.
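A logging system only helps if something looks at the logs for the incidents users did not notice. This added example (not code from the ECRC article or from Logging Made Easy) runs two simple detections over constructed sign-in records: a successful sign-in from a source address the account has never used, and a burst of MFA failures shortly before a success, which is the pattern to watch for given the warning above that attackers now phish the authentication codes as well. The log lines, user names, IP addresses and the per-account baseline are all constructed.

```python
"""Detection over sign-in logs for signs that a phished credential is in use.

Added example, not from the ECRC article or from Logging Made Easy.
The log lines, user names, IP addresses and baseline are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user source_ip result" per line.
SAMPLE_LOG = """\
2024-03-04T08:01:12 jsmith 198.51.100.10 SUCCESS
2024-03-04T08:03:40 ahmed 198.51.100.10 SUCCESS
2024-03-04T12:15:02 jsmith 203.0.113.77 MFA_FAIL
2024-03-04T12:15:31 jsmith 203.0.113.77 MFA_FAIL
2024-03-04T12:16:05 jsmith 203.0.113.77 MFA_FAIL
2024-03-04T12:17:20 jsmith 203.0.113.77 SUCCESS
2024-03-04T13:00:00 ahmed 198.51.100.10 SUCCESS
"""

# Constructed baseline: the source addresses each account normally uses
# (here the practice's own internet egress address). In practice build
# this from a few weeks of history rather than typing it in.
BASELINE = {"jsmith": {"198.51.100.10"}, "ahmed": {"198.51.100.10"}}


def parse_log(text: str) -> list:
    """Turn the raw lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return events


def detect(events: list, baseline: dict, mfa_fail_threshold: int = 3,
           window: timedelta = timedelta(minutes=10)) -> list:
    """Return (timestamp, user, reason) alerts in time order."""
    alerts = []
    recent_mfa_fails = defaultdict(list)  # user -> timestamps of MFA failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        if ev["result"] == "MFA_FAIL":
            recent_mfa_fails[user].append(ts)
            continue
        if ev["result"] != "SUCCESS":
            continue
        # Rule 1: success from an address this account has not used before.
        if ip not in baseline.get(user, set()):
            alerts.append((ts, user, f"sign-in from new source {ip}"))
        # Rule 2: a burst of MFA failures shortly before this success.
        fails = [t for t in recent_mfa_fails[user] if ts - t <= window]
        if len(fails) >= mfa_fail_threshold:
            alerts.append((ts, user,
                           f"{len(fails)} MFA failures within {window} before success from {ip}"))
        recent_mfa_fails[user].clear()
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(parse_log(SAMPLE_LOG), BASELINE):
        print(f"{ts.isoformat()} {user}: {reason}")
```

On the sample data both rules fire for `jsmith` at 12:17:20 and nothing fires for `ahmed`. Either alert is a reason to contact the user and, if they confirm they entered their details into a suspicious page, to follow the incident plan: reset the password, revoke active sessions and review what the account touched after the sign-in. Accounts used from home will need a larger baseline than a single egress address, and the threshold and window should be tuned to how often your own users genuinely mistype codes.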
Further guidance and support
The ECRC is a police-led, not-for-profit organisation which companies can join for free.
Our core membership provides:
Threat alerts both regionally and nationally
Signposting to free tools and resources from both Policing and the NCSC
Little Steps programme – a series of weekly emails, aligned to Cyber Essentials, giving bite-sized practical information to build cyber resilience